Why would I care if phishing comes "from" my domain?
Put yourself in the place of your customers, partners and suppliers. If you received an email that appeared to be from one of them but it turned out the be phishing, would you still trust them? Would that erode their brand in your mind? Would you be more likely to check their legitimate emails for mistakes, issues, and threats? Phishing using your domain hurts your brand, even when your customers know that you are not responsible! Further, phishing puts your email delivery at risk. Increasingly, email inbox providers like Google, Yahoo! and Outlook.com look at the domain an email comes "from" and what the reputation of that domain is in their systems. If your domain name has been used for phishing, then all of your email may come under additional scrutiny. If uncontrolled, this could lead to mistaken blacklisting or lower inbox placement.
How do I recognize phishing from my domain?
Occasionally, email recipients will ask you directly "Did you send this email?", but by then, it's already too late. Phishing emails are like cockroaches - seeing one means potentially hundreds hidden in the woodwork. Without adopting three new(ish) technologies, you really can't know when your domain is being used for fraud and phishing. The technologies you need to think about are SPF, DKIM and DMARC, and each work together. SPF allows you to tell the world who can send email on your behalf, DKIM allows you to digitally sign your emails and DMARC allows you to designate an email address for feedback on your email, among other things. Once you have SPF and DKIM setup for most of your email, you can get feedback on your email via the email address in the DMARC record. Each email inbox provider (Google, Yahoo!, Outlook.com, etc.) will provide feedback containing everyone sending email for your domain - legitimate and phishing - that they received. You'll want to comb through that feedback to identify IP addresses and domains not legitimately connected to your business.
How do I stop phishing with my domain?
Here again, SPF, DKIM, and DMARC are important technologies to understand. IP addresses and Domains that fail alignment or authentication with SPF, DKIM or DMARC will be likely candidates for phishing scams. However, these may also be legitimate senders that are misconfigured or not included in you SPF. You will want to investigate each to make a determination as to their legitimacy. Once you are sure you know who is legitimate and that they are passing SPF, DKIM and DMARC checks, you can begin to tell inbox providers what to do with email that fails these checks. DMARC allows you to set the steps a recipient should take with email that is failing SPF, DKIM and/or DMARC checks:
- None - Do Nothing
- Quarantine - Set this email aside and tell me you quarantined it
- Reject - Bounce the email entirely
Your DMARC record also allows you to set the percentage of traffic subject to these rules, from 0-100%. This level of granularity is important in allowing you to control how quickly you move all of your email to a reject status. In this way you can test to see if any legitimate email is affected without negatively impacting your business. Once you reach a 100% Reject policy, you will be filtering out all of the phishing using your domain.